Privacy and data security

The Nemetschek Group stands for responsible and transparent handling of personal data and is committed throughout the company to protecting the data of our employees, customers and partners with the utmost care and in accordance with the applicable data protection regulations. They can rest assured that their data is secure within the Nemetschek Group and is processed in compliance with the relevant legal regulations. Preventing data loss and ensuring the confidentiality, availability and integrity of our data are very important to the Nemetschek Group.
The Nemetschek Group is aware that data protection and data security risks are growing as digitalisation and networking increase. It is therefore focussing explicitly on the areas of data protection and data security throughout the Group.
In line with its organisational structure, the Nemetschek Group pursues a largely decentralised approach, which provides for central guidelines as well as monitoring processes and support (based on the parent company), but primarily makes the brand companies responsible (individual responsibility of the brands).
Data protection and data security are shared responsibilities of all Nemetschek Group employees, to which all divisions have committed themselves as part of the Group-wide Code of Conduct.
Compliance with data protection regulations and processes is regularly monitored either by external service providers or by the Corporate Audit department as part of general audits of business processes in cooperation with the Corporate Legal & Compliance and Corporate IT departments.
Data protection (Privacy)
The Nemetschek Group continuously develops its group-wide data protection and compliance processes in order to meet the current requirements of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and to ensure the highest standards of personal data protection.
A comprehensive, group-wide set of rules ensures that all group companies implement and comply with uniform data protection standards. The central Group Data Protection Guideline (“Group Data Protection Guideline”) forms the binding basis for all group companies and is regularly adapted to new legal and regulatory requirements. Numerous practical templates and documents are available to employees at all times via the group-wide intranet, in both German and English, to ensure efficient and consistent implementation of data protection requirements.
When assuming their responsibilities, all new employees are instructed in handling sensitive/personal data and obligated to confidentiality through their employment contract. Moreover, all employees of the Nemetschek Group (not only European employees) are obligated to undergo privacy/data protection training and to document successful completion.
A dedicated e-learning training course on data protection is offered in both German and English. In addition, regular update training courses are provided to ensure that all employees are always informed about current legal requirements and internal data protection regulations.
Furthermore, website adaptations for data protection (such as the privacy policy, information obligations for applicants, cookies, banners, etc.) were made, along with the establishment of group-wide standard order processing contracts and procedural logs for major data handling processes. Personal data is handled on a need-to-know basis (information passed on only to knowledge carriers of immediate importance to the project) with corresponding internal and external access and authorization concepts. Consent is always obtained for the creation and use of employee photos/videos if the creation and use cannot be supported by legitimate interests.
As far as the law requires, company privacy officers (internal and external) have been appointed within the companies, and regular professional communication takes place with them as needed.
Processes for meeting legal reporting requirements and deadlines (such as to supervisory authorities) have been set up. All Nemetschek Group employees have the opportunity to report any violations of data protection regulations or company guidelines through the existing whistleblower system. The Nemetschek Group takes every notification on possible violation of data protection regulations very seriously and takes the initiative to clarify the reported matter as quickly as possible.
Product-related data security
Nemetschek Group products are developed to the latest state of the art, taking data security aspects into account. The vast majority of Nemetschek Group products are installed locally (“on premises”) at the customer's site.
In the subscription model, software solutions are offered both “on premises” and in the cloud. Hosting of cloud solutions, which make up a relatively small portion of the Nemetschek Group product portfolio, is primarily offered in external data centers. To ensure an appropriate level of security, the Group collaborates only with reputable data center providers, and customer data are strictly separated by customer.